KBI 310766 New Feature: Argent AT Global Security Objects

Version

Argent Advanced Technology 3.1A-1401-A and later

Date

Monday, 9 Dec 2013

Summary

Argent AT 3.1A-1401-A implements Global Security Objects (GSO) to manage the security of folders and objects, complementing the same features in the Argent AT GUI

For a detailed white paper showing how Argent AT Global Security Objects are used, see:

Argent AT Global Security Objects – Best Practices

Technical Background

A command-line interface is also available. For a printable white paper of this documentation, see:

Argent AT Global Security Objects – Command-Line Interface


ARGENT_GSO_CLI

This utility manages Global Security Objects (GSOs)

Only an Argent AT product administrator can use this utility successfully

  1. To add or update group/account access for a GSO:

    ARGENT_GSO_CLI -p product -n gso_name [-s group_or_account:denied|view|full]

    Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator

    Argument ‘-n’ specifies the GSO name. If the GSO does not exist, a new GSO should be created

    Argument ‘-s’ specifies the access right for a group or account: ‘denied’ for Denied, ‘view’ for Read Only, and ‘full’ for Full Access

    Multiple ‘-s’ arguments can be used to set access for multiple groups and accounts

  2. Remove a group/account access from a GSO:

    ARGENT_GSO_CLI -p product -n gso_name [-r group_or_account]

    Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator

    Argument ‘-n’ specifies the GSO name

    Argument ‘-r’ specifies the group or account to remove from the GSO

  3. Delete a GSO definition:

    ARGENT_GSO_CLI -p product -n gso_name -del

    Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator

    Argument ‘-n’ specifies the GSO name

    Argument ‘-del’ specifies that the GSO should be deleted

  4. Verify a group or account against a GSO definition:

    ARGENT_GSO_CLI -p product -n gso_name -v group_or_account

    Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator

    Argument ‘-n’ specifies the GSO name

    Argument ‘-v’ specifies the group or account whose access to the GSO is verified

    Note: The utility only checks the explicit settings when checking an account

    In other words, the utility does not query Active Directory for groups that the account belongs to

ARGENT_SECURITY_CLI

This utility manages the security settings of folders and objects in the selected Argent AT product

Only an Argent AT product administrator can use this utility successfully

  1. To reset the product administrator to the product service account:

    ARGENT_SECURITY_CLI -p product -reset_admin

    Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator

    Argument ‘-reset_admin’ specifies the operation. As only the product administrator can manipulate product security, this is equivalent to a reset to factory default

    Note: The customer must log on as the product service account to reset it successfully

  2. Set object or folder security using Global Security Object (GSO):

    ARGENT_SECURITY_CLI -p product -n object_name -type type -s gso -gso

    Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator

    Argument ‘-n’ specifies the object or folder name

    Argument ‘-type’ specifies the object type. It can be one of the following values:

    • node (CMDB-X node)
    • folder
    • rule
    • relator
    • alert
    • mg (Monitoring Group)
    • ard (Automatic Report Distribution)
    • macro
    • cal (Calendar)

    Argument ‘-gso’ specifies that GSO is used

    Argument ‘-s’ specifies the GSO name

  3. Remove a GSO from the security of an object or folder:

    ARGENT_SECURITY_CLI -p product -n object_name -type type -r gso -gso

    Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator

    Argument ‘-n’ specifies the object or folder name

    Argument ‘-type’ specifies the object type

    Argument ‘-gso’ specifies that GSO is used

    Argument ‘-r’ specifies the GSO name

  4. Set object or folder security using explicit group or account:

    ARGENT_SECURITY_CLI -p product -n object_name -type type [-s group_or_account:denied|view|full]

    Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator

    Argument ‘-n’ specifies the object or folder name

    Argument ‘-type’ specifies the object type

    Argument ‘-s’ specifies the access right for a group or account: ‘denied’ for Denied, ‘view’ for Read Only, and ‘full’ for Full Access

    Multiple ‘-s’ arguments can be used to set access for multiple groups and accounts

  5. Remove a group or account from the security of an Argent AT object or folder:

    ARGENT_SECURITY_CLI -p product -n object_name -type type [-r group_or_account]

    Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator

    Argument ‘-n’ specifies the object or folder name

    Argument ‘-type’ specifies the object type

    Argument ‘-r’ specifies a group or account to remove

  6. Verify a group or account against the security of an Argent AT object or folder:

    ARGENT_SECURITY_CLI -p product -n object_name -type type -v group_or_account

    Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator

    Argument ‘-n’ specifies the object or folder name

    Argument ‘-type’ specifies the object type

    Argument ‘-v’ specifies a group or account to verify

  7. Export Argent AT security to a CSV file:

    ARGENT_SECURITY_CLI -p product -export csv

    Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator

    Argument ‘-export’ specifies the CSV file path

  8. Import Argent AT security from a CSV file:

    ARGENT_SECURITY_CLI -p product -import csv

    Argument ‘-p’ specifies the Argent AT product. It is required to determine the product administrator

    Argument ‘-import’ specifies the CSV file path

CSV Format

The Argent AT security export file is in CSV format

Each line can have one of the following formats:

  • object type<TAB>object name<TAB>gso
  • object type<TAB>object name<TAB>group_or_account_1:option1,group_or_account_2:option2…

Note: An explicit account/group is specified in the format group_or_account:denied|view|full, while a GSO is specified by its name alone

The ‘:’ separator distinguishes the two forms. Multiple account/group entries are separated by commas
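
As an added example (not part of the original article or Argent's own tooling), the Python code below parses an export in the format described above and lists the objects secured with explicit entries rather than a GSO, together with every Full Access grant, which is worth reviewing before running -import. The sample rows, the account names, the absence of a header row and the use of the -type tokens as object types are assumptions made for illustration.

```python
from collections import namedtuple

RIGHTS = {"denied", "view", "full"}  # access options named in the article
Entry = namedtuple("Entry", "obj_type name gso grants")

def parse_export(text):
    """Parse export text into Entry records; raise ValueError on a bad line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 3 or not fields[2].strip():
            raise ValueError(f"line {lineno}: expected 3 non-empty tab-separated fields")
        obj_type, name, security = (f.strip() for f in fields)
        if ":" not in security:  # no ':' means the field is a GSO name
            entries.append(Entry(obj_type, name, security, {}))
            continue
        grants = {}
        for item in security.split(","):
            # Split on the last ':' so the principal keeps any earlier text.
            principal, _, right = item.strip().rpartition(":")
            if not principal or right not in RIGHTS:
                raise ValueError(f"line {lineno}: bad entry {item!r}")
            grants[principal] = right
        entries.append(Entry(obj_type, name, None, grants))
    return entries

def audit(entries):
    """Return (objects with explicit entries, Full Access grants)."""
    explicit = [(e.obj_type, e.name) for e in entries if e.gso is None]
    full = [(e.obj_type, e.name, who)
            for e in entries for who, right in e.grants.items()
            if right == "full"]
    return explicit, full

# Constructed sample rows (assumption: no header row, -type tokens as types).
SAMPLE = (
    "folder\tProduction Servers\tGSO_Operations\n"
    "rule\tDisk Space Check\tEXAMPLE\\Operators:view,EXAMPLE\\Admins:full\n"
    "mg\tWeb Tier\tEXAMPLE\\Contractors:denied\n"
)

if __name__ == "__main__":
    explicit, full = audit(parse_export(SAMPLE))
    print("explicit:", explicit)
    print("full access:", full)
```
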

A sample file is shown as follows:

Resolution

Upgrade to Argent Advanced Technology 3.1A-1401-A or later